removed channel bindings from KDC

Author: Theo Dumitrescu (from Dev Box)

Kerberos.NET/Server/KdcMessageHandlerBase.cs

@@ -25,20 +25,6 @@ public abstract class KdcMessageHandlerBase
 
         protected KdcServerOptions Options { get; }
 
-        /// <summary>
-        /// Expected channel bindings for this request's TGS-REQ validation.
-        /// </summary>
-        public GssChannelBindings ExpectedChannelBindings { get; set; }
-
-        /// <summary>
-        /// Accepts a raw SEC_CHANNEL_BINDINGS buffer
-        /// and converts it to <see cref="ExpectedChannelBindings"/>.
-        /// </summary>
-        public void SetExpectedChannelBindingsFromSecChannelBindings(ReadOnlyMemory<byte> buffer)
-        {
-            this.ExpectedChannelBindings = GssChannelBindings.FromSecChannelBindings(buffer);
-        }
-
         protected IRealmService RealmService { get; private set; }
 
         public IDictionary<PaDataType, PreAuthHandlerConstructor> PreAuthHandlers => this.preAuthHandlers;
@@ -117,10 +103,7 @@ public virtual async Task<ReadOnlyMemory<byte>> ExecuteAsync()
         {
             try
             {
-                var context = new PreAuthenticationContext
-                {
-                    ExpectedChannelBindings = this.ExpectedChannelBindings
-                };
+                var context = new PreAuthenticationContext();
 
                 this.DecodeMessage(context);
 
@@ -144,10 +127,7 @@ public virtual ReadOnlyMemory<byte> Execute()
         {
             try
             {
-                var context = new PreAuthenticationContext
-                {
-                    ExpectedChannelBindings = this.ExpectedChannelBindings
-                };
+                var context = new PreAuthenticationContext();
 
                 this.DecodeMessage(context);
 

Kerberos.NET/Server/PaDataTgsTicketHandler.cs

@@ -17,7 +17,7 @@ public PaDataTgsTicketHandler(IRealmService service)
         {
         }
 
-        public ValidationActions Validation { get; set; } = ValidationActions.All & ~ValidationActions.Replay;
+        public ValidationActions Validation { get; set; } = ValidationActions.All & ~ValidationActions.Replay & ~ValidationActions.ChannelBinding;
 
         /// <summary>
         /// Executes before the validation stage and can be used for initial decoding of the message.
@@ -39,7 +39,7 @@ public override void PreValidate(PreAuthenticationContext preauth)
 
             var state = preauth.GetState<TgsState>(PaDataType.PA_TGS_REQ);
 
-            state.DecryptedApReq = this.DecryptApReq(state.ApReq, preauth.EvidenceTicketKey, preauth.ExpectedChannelBindings);
+            state.DecryptedApReq = this.DecryptApReq(state.ApReq, preauth.EvidenceTicketKey);
         }
 
         /// <summary>
@@ -101,7 +101,7 @@ public override KrbPaData Validate(KrbKdcReq asReq, PreAuthenticationContext con
 
             var state = context.GetState<TgsState>(PaDataType.PA_TGS_REQ);
 
-            state.DecryptedApReq ??= this.DecryptApReq(state.ApReq, context.EvidenceTicketKey, context.ExpectedChannelBindings);
+            state.DecryptedApReq ??= this.DecryptApReq(state.ApReq, context.EvidenceTicketKey);
 
             context.EncryptedPartKey = state.DecryptedApReq.SessionKey;
             context.Ticket = state.DecryptedApReq.Ticket;
@@ -135,14 +135,12 @@ public static KrbApReq ExtractApReq(PreAuthenticationContext context)
             return state.ApReq;
         }
 
-        private DecryptedKrbApReq DecryptApReq(KrbApReq apReq, KerberosKey krbtgtKey, GssChannelBindings expectedChannelBindings)
+        private DecryptedKrbApReq DecryptApReq(KrbApReq apReq, KerberosKey krbtgtKey)
         {
             var apReqDecrypted = new DecryptedKrbApReq(apReq, MessageType.KRB_TGS_REQ);
 
             apReqDecrypted.Decrypt(krbtgtKey);
 
-            apReqDecrypted.ExpectedChannelBindings = expectedChannelBindings;
-
             apReqDecrypted.Validate(this.Validation);
 
             return apReqDecrypted;

Kerberos.NET/Server/PreAuthenticationContext.cs

@@ -90,11 +90,6 @@ public class PreAuthenticationContext
         /// </summary>
         public bool? IncludePac { get; set; }
 
-        /// <summary>
-        /// Expected channel bindings for AP-REQ validation during TGS-REQ processing.
-        /// </summary>
-        public GssChannelBindings ExpectedChannelBindings { get; set; }
-
         /// <summary>
         /// Retrieve the current pre-authentication state for a particular PA-Data type.
         /// If the initial state is not present it will be created.

Tests/Tests.Kerberos.NET/Kdc/KdcHandlerTests.cs

@@ -495,179 +495,5 @@ public void AsReqPreAuth_PkinitCertificateAccessible()
                 Assert.AreEqual(credCert.Thumbprint, clientCert.Thumbprint);
             }
         }
-
-        // -- TGS-REQ Channel Binding Tests --
-
-        private static readonly byte[] TgsTestChannelBinding = new byte[]
-        {
-            0x74, 0x6C, 0x73, 0x2D, 0x73, 0x65, 0x72, 0x76,
-            0x65, 0x72, 0x2D, 0x65, 0x6E, 0x64, 0x2D, 0x70,
-            0x6F, 0x69, 0x6E, 0x74, 0x3A, 0xAA, 0xBB, 0xCC,
-            0xDD, 0xEE, 0xFF, 0x00, 0x11, 0x22, 0x33, 0x44
-        };
-
-        [TestMethod]
-        public void KdcTgsReq_ChannelBinding_MatchingBindings_Succeeds()
-        {
-            // Channel bindings used by client in TGS-REQ
-            // The same channel bindings are expected by the server
-            // thus should result in a successful TGS-REQ processing
-            var bindings = new GssChannelBindings { ApplicationData = TgsTestChannelBinding };
-
-            KrbAsRep asRep = RequestTgt(cname: Upn, crealm: Realm, srealm: Realm, out KrbEncryptionKey tgtKey);
-
-            var tgsReq = KrbTgsReq.CreateTgsReq(
-                new RequestServiceTicket
-                {
-                    Realm = Realm,
-                    ServicePrincipalName = "host/foo." + Realm,
-                    ChannelBindings = bindings
-                },
-                tgtKey, asRep, out _);
-
-            var handler = new KdcTgsReqMessageHandler(tgsReq.EncodeApplication(), new KdcServerOptions
-            {
-                DefaultRealm = Realm,
-                IsDebug = true,
-                RealmLocator = realm => new FakeRealmService(realm)
-            });
-
-
-            handler.ExpectedChannelBindings = bindings;
-
-            var results = handler.Execute();
-
-            var tgsRep = KrbTgsRep.DecodeApplication(results);
-            Assert.IsNotNull(tgsRep);
-        }
-
-        [TestMethod]
-        public void KdcTgsReq_ChannelBinding_Mismatch_ReturnsError()
-        {
-            // Channel bindings used by client in TGS-REQ
-            // Different channel bindings are expected by the server
-            // thus should result in an error
-            var clientBindings = new GssChannelBindings { ApplicationData = TgsTestChannelBinding };
-            var serverBindings = new GssChannelBindings { ApplicationData = new byte[] { 0xFF, 0xFE, 0xFD } };
-
-            KrbAsRep asRep = RequestTgt(cname: Upn, crealm: Realm, srealm: Realm, out KrbEncryptionKey tgtKey);
-
-            var tgsReq = KrbTgsReq.CreateTgsReq(
-                new RequestServiceTicket
-                {
-                    Realm = Realm,
-                    ServicePrincipalName = "host/foo." + Realm,
-                    ChannelBindings = clientBindings
-                },
-                tgtKey, asRep, out _);
-
-            var handler = new KdcTgsReqMessageHandler(tgsReq.EncodeApplication(), new KdcServerOptions
-            {
-                DefaultRealm = Realm,
-                IsDebug = true,
-                RealmLocator = realm => new FakeRealmService(realm)
-            });
-
-            handler.ExpectedChannelBindings = serverBindings;
-
-            var results = handler.Execute();
-
-            var error = KrbError.DecodeApplication(results);
-            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);
-        }
-
-        [TestMethod]
-        public void KdcTgsReq_ChannelBinding_ServerExpectsNone_Succeeds()
-        {
-            // Channel bindings used by client in TGS-REQ
-            var clientBindings = new GssChannelBindings { ApplicationData = TgsTestChannelBinding };
-
-            KrbAsRep asRep = RequestTgt(cname: Upn, crealm: Realm, srealm: Realm, out KrbEncryptionKey tgtKey);
-
-            var tgsReq = KrbTgsReq.CreateTgsReq(
-                new RequestServiceTicket
-                {
-                    Realm = Realm,
-                    ServicePrincipalName = "host/foo." + Realm,
-                    ChannelBindings = clientBindings
-                },
-                tgtKey, asRep, out _);
-
-            // Server does not expect channel bindings
-            var handler = new KdcTgsReqMessageHandler(tgsReq.EncodeApplication(), new KdcServerOptions
-            {
-                DefaultRealm = Realm,
-                IsDebug = true,
-                RealmLocator = realm => new FakeRealmService(realm)
-                // ExpectedChannelBindings = null
-            });
-
-            var results = handler.Execute();
-
-            // Should succeed even though client included channel bindings as the server does not require them
-            var tgsRep = KrbTgsRep.DecodeApplication(results);
-            Assert.IsNotNull(tgsRep);
-        }
-
-        [TestMethod]
-        public void KdcTgsReq_ChannelBinding_ServerExpects_ClientOmits_ReturnsError()
-        {
-            // Server expects channel bindings but client omits them in TGS-REQ
-            var serverBindings = new GssChannelBindings { ApplicationData = TgsTestChannelBinding };
-
-            KrbAsRep asRep = RequestTgt(cname: Upn, crealm: Realm, srealm: Realm, out KrbEncryptionKey tgtKey);
-
-            var tgsReq = KrbTgsReq.CreateTgsReq(
-                new RequestServiceTicket
-                {
-                    Realm = Realm,
-                    ServicePrincipalName = "host/foo." + Realm
-                },
-                tgtKey, asRep, out _);
-
-            // Server expects channel bindings
-            var handler = new KdcTgsReqMessageHandler(tgsReq.EncodeApplication(), new KdcServerOptions
-            {
-                DefaultRealm = Realm,
-                IsDebug = true,
-                RealmLocator = realm => new FakeRealmService(realm)
-            });
-
-            handler.ExpectedChannelBindings = serverBindings;
-
-            var results = handler.Execute();
-
-            // Expect an error due to missing channel bindings in client
-            var error = KrbError.DecodeApplication(results);
-            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);
-        }
-
-        [TestMethod]
-        public void KdcTgsReq_NoChannelBindings_Succeeds()
-        {
-            // Neither client nor server uses channel bindings
-            // should succeed without error
-            KrbAsRep asRep = RequestTgt(cname: Upn, crealm: Realm, srealm: Realm, out KrbEncryptionKey tgtKey);
-
-            var tgsReq = KrbTgsReq.CreateTgsReq(
-                new RequestServiceTicket
-                {
-                    Realm = Realm,
-                    ServicePrincipalName = "host/foo." + Realm
-                },
-                tgtKey, asRep, out _);
-
-            var handler = new KdcTgsReqMessageHandler(tgsReq.EncodeApplication(), new KdcServerOptions
-            {
-                DefaultRealm = Realm,
-                IsDebug = true,
-                RealmLocator = realm => new FakeRealmService(realm)
-            });
-
-            var results = handler.Execute();
-
-            var tgsRep = KrbTgsRep.DecodeApplication(results);
-            Assert.IsNotNull(tgsRep);
-        }
     }
 }